Recent findings from cybersecurity firm Kaspersky shed light on a sophisticated malware attack targeting MacBook users in the crypto space.
In the rapidly growing cryptocurrency industry, the widespread adoption of cryptocurrencies has attracted not only legitimate users but also cybercriminals seeking to exploit vulnerabilities.
Kaspersky Lab experts found that attackers repackaged previously cracked applications as Package (PKG) files, a type of file format commonly used on MacBooks, and embedded a Trojan proxy and a post-installation script.
The malware-laden applications were mainly distributed through pirated software channels. Once users tried to install the cracked applications, they unknowingly triggered the infection process. To trick users, the infected installation package displayed a window with installation instructions, instructing them to copy the application to the /Applications/ directory and launch an application called “Activator.”
Collecting Sensitive Data from Infected Mac Systems
Although it seemed unsophisticated at first glance, Activator prompted users to enter a password, effectively granting administrator privileges to the malware. Upon execution, the malware checked the system for an installed copy of the Python 3 programming language and, if it was not present, installed a previously copied version of Python 3 from the MacBook operating system directory.
The malware then “patched” the downloaded application by comparing the modified executable to a sequence encoded within the Activator. If a match was found, the malware removed the leading bytes, making the application appear decrypted and functional to the user.
However, the attackers’ true intentions became evident when the malware initiated its main payload. The infected sample established communication with a command and control (C2) server by generating a unique uniform resource locator (URL) or web address, through a combination of scrambled words and a random third-level domain name. This method allowed the malware to hide its activities within normal DNS server traffic, ensuring the download of the payload.
The decrypted script obtained from the C2 server (a remote server or infrastructure used by cybercriminals to monitor and manage their malware or botnet operations) revealed that the malware operated by executing arbitrary commands received from the server. These commands were often delivered as Base64-encoded Python scripts.
Additionally, the malware collected sensitive information from the infected system, including operating system version, user directories, list of installed applications, CPU type, and external IP address. The collected data was then sent back to the server.
Malware Campaign Targets Crypto Wallet Apps
While analyzing the malware campaign, Kaspersky noted that the C2 server did not return any commands during its investigation and eventually became unresponsive.
However, subsequent attempts to download the third stage Python script led to the discovery of updates to the script’s metadata, indicating continued development and adaptation by malware operators.
Furthermore, the malware contained features specifically targeting popular crypto wallet applications, such as Exodus and Bitcoin-Qt. If these applications were detected on the infected system, the malware attempted to replace them with infected versions obtained from a different host, Apple-analyzer. [.]com. These infected crypto wallets included mechanisms to steal wallet unlock passwords and secret recovery phrases from unsuspecting users.
The cybersecurity firm emphasized that malicious actors continue to distribute cracked applications to gain access to users’ computers. By exploiting user trust during software installation, attackers can easily escalate their privileges by requiring users to enter their passwords.
Kaspersky also highlighted the techniques employed by the malware campaign, such as storing the Python script within a domain TXT record on a DNS server, demonstrating the attackers’ “ingenuity”.
By Leonardo Perez
